Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement (mirrored in the “Terms & Conditions”) between each Corporate Client (which acts as the “Controller”) and Webnorth ApS (which acts as the “Processor”), together hereinafter referred to as the “Parties”, for the provision of the Webnorth ApS services as set forth therein (the “Services”).

Webnorth “Services” consist of the development and/or hosting of websites and “Apps” for its Corporate Clients plus (where required) inherent IT support and maintenance, while potentially Processing Personal Data under the Legal Basis of a Contractual Obligation before the Controller.
Effective from the date when the Corporate Client starts using the “Services” (via its logged-in users, in either Webnorth SaaS cloud-based solutions or Webnorth Software on-premises at that Corporate Client or in an IT Service Landscape owned/managed by that Corporate Client), the terms of this DPA shall apply to Personal Data (as defined below) that the “Processor” processes in the course of providing the “Services” under the Agreement. The “Controller’s” continued engagement of the “Processor” is conditioned upon the “Controller’s” agreement to the terms and conditions of this DPA.


The “Parties” agree as follows:

“Affiliate” means an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with the “Processor” or the “Controller”. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership of voting securities, by contract, or otherwise.

“Data Privacy Laws” means Directive 2002/58/EC, the General Data Protection Regulation 2016/679 (“GDPR”), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, supplements, re-enacts or consolidates any of them and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in a relevant jurisdiction including, where applicable, the guidance and codes of practice issued by supervisory authorities.

“Model Clauses” means the standard contractual clauses as adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU and available at (as amended or updated from time to time).

“Relevant Country” means all countries other than those within the European Economic Area and countries, territories or specified sectors in respect of which a valid adequacy decision has been issued by the European Commission or adequacy determined in another valid method under applicable Data Privacy Laws.


1.0 Data Protection

1.1. For the purposes of this DPA, the terms “Controller”, “Data Subjects”, “Personal Data”, “Processing” (and “Process” shall be construed accordingly), “Personal Data Breach” and “Supervisory Authority” shall have the meaning given to them by applicable Data Privacy Laws.

1.2. The “Controller” undertakes to comply with all applicable Data Privacy Laws (including having a documented adequate Legal Basis for the Processing of Personal Data) and shall not knowingly cause the “Processor” to breach the ruling and requirements under such Laws.

1.3. The “Processor” will only Process the “Controller” Personal Data on documented instructions from the “Controller” (which includes the actions taken on the “Services” by the “Controller’s” users), and will not otherwise Process the “Controller” Personal Data unless required to do so by law, in which case, where legally permitted, the “Processor” shall inform the “Controller” of such legal requirement before Processing.

1.4. The subject-matter of the data Processing is the performance of the “Services” and the Processing will be carried out until the date that the “Processor” ceases to provide the “Services” to the “Controller”. The obligations and rights of the “Controller” are as set out in the “Terms of Service”. Schedule 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data the “Processor” Processes, and the categories of Data Subjects whose Personal Data is Processed.

1.5. The “Parties” will implement appropriate technical and organizational security measures in line with industry best practices (including ensuring that their personnel who are authorized to process the Personal Data have committed themselves to appropriate confidentiality obligations, and taking steps to ensure the reliability and competence of the personnel who have access to the Personal Data) to ensure a level of security appropriate to the risks that are presented by the Processing of the Personal Data, including, as a minimum, those measures contained in applicable Data Privacy Laws (such as, but not limited to, encryption, penetration testing, and pseudonymization) as well as the measures set out in Schedule 2 of this DPA fulfilling the following: access control to premises, facilities, data, and systems as well as availability, disclosure, job, input and segregation control. The technical and organizational measures are subject to technical progress and further development. The “Parties” may amend the technical and organizational measures, provided that the new measures do not fall short of the level of security provided by the current measures in place.

1.6. In case of a suspected Personal Data Breach which may affect the Personal Data under Processing and has not originated on the “Controller” or its users’ actions while using the “Services”, the “Processor” will:

1.6.1. Take action immediately at the “Processor’s” own expense, to investigate the suspected Personal Data Breach and to identify, prevent and mitigate the effects of the suspected Personal Data Breach to remedy the Personal Data Breach;

1.6.2. Notify the “Controller” within 36 hours of becoming aware of such a Personal Data Breach and provide the “Controller” with a detailed description of the Personal Data Breach including:
The likely impact of the Personal Data Breach;
The categories and approximate number of Data Subjects affected and their country of residence, and the categories and approximate number of records affected;
The risk posed by the Security Breach to Data Subjects;
The measures taken or proposed to be taken by the “Processor” to address the Personal Data Breach.
Provide timely updates to this information and any other information the “Controller” may reasonably request relating to the Personal Data Breach;

1.6.3. Not release or publish any filing, communication, notice, press release, or report concerning the Personal Data Breach without the “Controller’s” prior written approval (except where required to do so by law or the lives or physical integrity of natural persons may be at risk).

1.7. The “Processor” will (at no additional cost) provide such information and assistance to the “Controller” as it may reasonably require (and within timescales reasonably specified) to allow the “Controller” to comply with its obligations under applicable Data Privacy Laws, including assisting the “Controller” to (i) comply with its legal obligations;

1.8. The “Processor” will promptly, at the choice of the “Controller”, securely delete or return all the “Controller” Personal Data after the termination of the “Services” and confirm in signed writing that this has been completed, unless otherwise provided by law.

1.9. The “Controller” acknowledges and agrees that the “Processor” may retain appropriate Affiliates and other suitable third parties as “Sub-Processors” in connection with the provision of the “Services”, having imposed on such “Sub-Processors”, in a written agreement, the same data protection obligations as are imposed on the “Processor” under this DPA. The “Processor” will be liable to the “Controller” for the performance of such obligations by the “Sub-Processors”. A list of “Sub-Processors” approved in writing as of the date of this DPA has been made available to the “Controller” as of the date hereof. The “Processor” may change this list by not less than thirty (30) days’ notice in writing, thereby allowing the “Controller” to object to such changes.

1.10. The “Controller” acknowledges that as part of the “Services” the “Controller” Personal Data may be located in or accessed from the US or another Relevant Country. Where this involves the “Processor” or its Affiliates, the following Clauses apply:

1.10.1. Where the “Processor” processes Personal Data in the course of providing the “Services” that originate from the EEA, UK, and/or Switzerland, the “Processor” agrees to comply with (and shall ensure any “Sub-Processor” complies with) the provisions of the Model Clauses that apply to data importers, which are incorporated by reference and form an integral part of the Agreement. The “Processor” acknowledges that the “Controller” will be the data exporter.

1.10.2. The “Controller” agrees to grant third-party beneficiary rights to Data Subjects as set out in Clause 3 of the Model Clauses, provided that the “Processor’s” liability shall be limited to the “Processor’s” own Processing operations;

1.10.3. The “Controller” agrees that its obligations under the Model Clauses shall be governed by the laws of the Member States (or the UK as applicable) in which the “Controller” is established;

1.10.4. The “Parties” agree that for clauses 5(h) and 11 of the Model Clauses, the “Controller” consents to the “Processor” sub-contracting its Processing operations in accordance with the provisions set out in Clause 1.11 of this DPA;

1.10.5. The “Parties” agree that any rights of audit, according to clauses 5(f) and 12 (2) of the Model Clauses, will be exercised in accordance with Clause 1.9 of this DPA; and

1.10.6. The “Parties” agree that Schedules 1 and 2 of this DPA will take the place of Appendices 1 and 2 of the Model Clauses respectively.

1.10.7. It is not the intention of either party or the effect of this DPA, to contradict or restrict any of the provisions outlined in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail. In no event does the DPA restrict or limit the rights of any Data Subject or any competent supervisory authority.


2.0 Miscellaneous

2.1. The obligations set forth herein shall survive so long as the “Processor” and/or its “Sub-Processors” process the “Controller” Personal Data.

2.2. Any failure by the “Processor” to comply with any of the provisions of this DPA or applicable Data Privacy Laws shall be considered a material breach of the Agreement. 

2.3. The terms of this DPA supersede and extinguish any and all terms relating to data protection or Personal Data in the Agreement. In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this DPA.

Data subjects

The Personal Data transferred concern the following categories of Data Subjects:
Prospective Customers and Customers of the “Controller”

Categories of data

As described on the Controller’s Privacy Policy

Processing operations

The Personal Data transferred will be subject to the following basic processing activities:
Hosting and processing in the sense of both enabling communications, and the performance scheduling and CRM activities by the “Services” over Personal Data, which constitutes “Profiling” activities as determined under the GDPR by the Controller over its Prospective Customers/Customers.



1. Access control of processing areas
The “Parties” hereby commit to having implemented adequate measures in order to prevent unauthorized persons from gaining access to the data processing equipment used to process the Personal Data. This is accomplished by:
Having performed a Corporate DPIA as determined under article 35 of the GDPR based on market best standards (e.g. ISO 27001 and ISO 27701; ISO 19000; SOC2; other…); raised existing non-compliance points and having defined, documented and implemented adequate mitigation actions.

2. Access control to data processing systems
The “Parties” hereby commit to having implemented suitable measures to prevent its data processing activities from being used by unauthorized persons. This is accomplished by:
Technological Mechanisms as well as Policies have been set in place to mitigate any potential risk of having the Security and Confidentiality of the Personal Data under Processing compromised by allowing unauthorized third parties access to it.

3. Access control to use specific areas of data processing systems
The “Controller” ensures that the natural persons who act as its users before the “Services” are only able to access the data within scope and to the extent covered by their respective access permission (authorization as defined by the “Controller”) and that the Personal Data cannot be read, copied, modified or removed without authorization. This is accomplished by:
Having stratified users and attributed access permissions as per user profile based on needed professional activities that contribute to the delivery of the “Services”, plus having set in place operational and technological safeguards.

4. Transmission control
The “Processor” has implemented suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.

5. Instructional control
The “Controller” ensures that Personal Data may only be processed in accordance with the “Terms of Service”. This is accomplished by the “Controller’s” users having clearly defined roles within the scope of the “Services” and observing the legal requirements while accessing the Personal Data under Processing.